Legal claims defining the scope of protection, as filed with the USPTO.
1. A method comprising: identifying a first set of data access controls configured to control access to first data stored on a first system, wherein each data object of the first data is associated with one or more of the first set of data access controls; determining, for each data object of the first data, one or more data access controls of a second set of data access controls of a second system to achieve a level of data security and access that is at least as secure as the first data stored on the first system based on the first set of data access controls for the first data; causing the first data to be imported from the first system and exported onto the second system without changing the first data, the second system having a second set of data access controls different from the first data access controls; mapping one or more of the second set of data access controls to each data object of the first set of data to transform a configuration of the first data access controls into a configuration of the second data access controls; and applying the one or more data access controls of the second set of data access controls to each of the data objects of the first data, thereby providing access control to the first data stored on the second system without changing the first data.
2. The method of claim 1 further comprising producing transformed data by transforming some of the first data and associating first data access controls to the transformed data based on first data access controls associated with the first data.
3. The method of claim 1 further comprising generating test vectors to test the second data access controls applied to the first data stored on the second system.
4. The method of claim 1 wherein the first data comprise a structured arrangement of data elements, wherein the second data access controls are transformed from the first data access controls using an authorization model representative of first data access controls associated with each of the data elements.
5. The method of claim 4 wherein the authorization model represents data access controls based on roles of users who can access the first data.
6. The method of claim 4 wherein the authorization model represents users, groups, and organizations that can access the first data.
7. The method of claim 4 wherein the authorization model represents functions to be performed on the first data.
8. The method of claim 1 wherein when the level of data security and access cannot be mapped into the second system, the method further comprises determining, for each data object of the first data object, one or more data access controls of the second set of data access controls of the second system to achieve a higher level of data security and access than the first set of data access controls of the first system.
9. A method comprising: identifying first data from a first system having first data access controls to control access to first data stored on the first system; identifying a configuration of the first data access controls for accessing the first data; and causing the first data to be imported from the first system and exported onto a second system without changing the first data, the second system having second data access controls different from the first data access controls, and enabling control access to the first data stored on the second system without changing the first data by transforming the configuration of the first data access controls into a configuration of the second data access controls, and applying the configuration of the second data access controls to the first data, thereby providing access control to the first data stored on the second system without changing the first data, wherein the first data comprises a structured arrangement of data elements, wherein the second data access controls are transformed from the first data access controls using an authorization model representative of first data access controls associated with each of the data elements, and wherein the first data access controls comprises access permissions that identify who can add data to the first data and who can modify the first data and constraints on when the first data can be accessed, wherein the authorization model is further representative of constraints on when the first data can be accessed.
10. A computer system comprising: a computer device; and data storage having stored thereon computer executable program instructions which, when executed by the computer device, cause the computer device to: identify a first set of data access controls configured to control access to first data stored on a first system, wherein each data object of the first data is associated with one or more of the first set of data access controls; determine, for each data object of the first data, one or more data access controls of a second set of data access controls of a second system to achieve a level of data security and access that is at least as secure as the first data stored on the first system based on the first set of data access controls for the first data; cause the first data to be imported from the first system and exported onto the second system without changing the first data, the second system having a second set of data access controls different from the first data access controls; map one or more of the second set of data access controls to each data object of the first set of data to transform a configuration of the first data access controls into a configuration of the second data access controls; and applying the one or more data access controls of the second set of data access controls to each of the data objects of the first data, thereby providing access control to the first data stored on the second system without changing the first data.
11. The computer system of claim 10 wherein the computer executable program instructions which, when executed by the computer device, further cause the computer device to produce transformed data by transforming some of the first data and associating first data access controls to the transformed data based on first data access controls associated with the first data.
12. The computer system of claim 10 wherein the computer executable program instructions which, when executed by the computer device, further cause the computer device to generate test vectors to test second data access controls applied to the second data.
13. The computer system of claim 10 wherein the first data comprises a structured arrangement of data elements, wherein the second data access controls are transformed from the first data access controls using an authorization model representative of first data access controls associated with each of the data elements.
14. The computer system of claim 13 wherein the authorization model represents data access controls based on roles of users who can access the first data.
15. The computer system of claim 13 wherein the authorization model represents users, groups, and organizations that can access the first data.
16. The computer system of claim 13 wherein the authorization model represents functions to be performed on the first data.
17. A non-transitory computer readable storage medium having stored thereon computer executable program code configured to cause a computer system to perform steps of: identifying a first set of data access controls configured to control access to first data stored on a first system, wherein each data object of the first data is associated with one or more of the first set of data access controls; determining, for each data object of the first data, one or more data access controls of a second set of data access controls of a second system to achieve a level of data security and access that is at least as secure as the first data stored on the first system based on the first set of data access controls for the first data; causing the first data to be imported from the first system and exported onto the second system without changing the first data, the second system having a second set of data access controls different from the first data access controls; mapping one or more of the second set of data access controls to each data object of the first set of data to transform a configuration of the first data access controls into a configuration of the second data access controls; and applying the one or more data access controls of the second set of data access controls to each of the data objects of the first data, thereby providing access control to the first data stored on the second system without changing the first data.
18. The non-transitory computer readable storage medium of claim 17 wherein the computer executable program code is further configured to cause the computer system to produce transformed data by transforming some of the first data and associating first data access controls to the transformed data based on first data access controls associated with the first data.
19. The non-transitory computer readable storage medium of claim 17 wherein the computer executable program code is further configured to cause the computer system to generate test vectors to test second data access controls applied to the second data.
20. The non-transitory computer readable storage medium of claim 17 wherein the first data comprise a structured arrangement of data elements, wherein the second data access controls are transformed from the first data access controls using an authorization model representative of first data access controls associated with each of the data elements.
21. The non-transitory computer readable storage medium of claim 20 wherein the authorization model represents data access controls based on roles of users who can access the first data.
May 10, 2016